
I'm trying to get IdentityServer 6 in Blazor WASM (an Asp.Net hosted solution) to work with a Microsoft id but am running into the error message "AADSTS90023: Public clients can't send a client secret". I feel like I've tried every configuration I can think of, but hopefully I still missed something.

The IdentityServer configuration uses the 'SPA' profile which I believe is correct for my scenario:

"IdentityServer": {
  "Clients": {
    "Blazor.Client": {
      "ClientId": "Blazor.Client",
      "ClientName": "Blazor.Client",
      "Profile": "SPA",
      "RedirectUri": "https://localhost:15601",
      "LogoutUri": "https://localhost:15601"
    }
  }
}

The configuration code follows the simplest example:

.AddMicrosoftAccount(options =>
{
    options.ClientId = <clientId>;
    options.ClientSecret = <secret>;
})

Because these code snippets are basically the simplest way of doing this I'm assuming something is wrong with my AzureAD application registration but I can't figure out what. I've included the manifest:

{
"id": "<id>",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": false,
"appId": "<apiId>",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2021-12-10T09:21:08Z",
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [
    "api://<apiId>"
],
"informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "<name>",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
    {
        "customKeyIdentifier": null,
        "endDate": "2023-12-10T09:21:45.315Z",
        "keyId": "<keyId>",
        "startDate": "2021-12-10T09:21:45.315Z",
        "value": null,
        "createdOn": "2021-12-10T09:21:57.2927675Z",
        "hint": "H1f",
        "displayName": "<displayName>"
    }
],
"preAuthorizedApplications": [],
"publisherDomain": "<publisherDomain>.onmicrosoft.com",
"replyUrlsWithType": [
    {
        "url": "https://localhost:15602/signin-microsoft",
        "type": "Spa"
    }
],
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "<someId>",
                "type": "Scope"
            }
        ]
    }
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null
}

Is this scenario not supported or am I doing something wrong?

EDIT: ultimately the problem lay in the redirect uri platform, which should not be set to 'SPA' but to 'Web', because it isn't the client doing the authentication but the IdentityServer web service. The relevant part would be:

    "replyUrlsWithType": [
        {
            "url": "https://localhost:15602/signin-microsoft",
            "type": "Web"
        }
    ]
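As an added check (not code from the question or the answer): a small lint over the Azure AD manifest format shown above that flags the mismatch behind this error, a redirect URI registered with the 'Spa' platform type on an app that also holds a client credential which a server-side redeemer such as IdentityServer will send. The manifest excerpt, the placeholder values and the helper names are constructed for this example.

```python
"""Lint an Azure AD app manifest for the redirect-URI/credential mismatch
behind AADSTS90023 ("Public clients can't send a client secret")."""
import json

# Constructed excerpt modelled on the manifest in the question; the
# angle-bracket values are placeholders, not real identifiers.
MANIFEST_BEFORE = json.loads("""{
  "allowPublicClient": false,
  "passwordCredentials": [{"keyId": "<keyId>", "displayName": "<displayName>"}],
  "keyCredentials": [],
  "replyUrlsWithType": [
    {"url": "https://localhost:15602/signin-microsoft", "type": "Spa"}
  ]
}""")

# Platform types Azure AD treats as public clients: a code redeemed at such a
# redirect URI must not be accompanied by a secret or certificate.
PUBLIC_PLATFORM_TYPES = {"spa", "installedclient"}


def lint_manifest(manifest: dict) -> list:
    """Return human-readable findings; an empty list means no mismatch.

    Rule: if the app holds a client credential (passwordCredentials or
    keyCredentials) that a confidential, server-side component will send
    when redeeming the authorization code, every redirect URI that
    component uses must be registered as 'Web', not as a public type.
    """
    findings = []
    has_credential = bool(manifest.get("passwordCredentials")) or bool(
        manifest.get("keyCredentials"))
    for entry in manifest.get("replyUrlsWithType", []):
        url, kind = entry.get("url", "?"), entry.get("type", "?")
        if kind.lower() in PUBLIC_PLATFORM_TYPES and has_credential:
            findings.append(
                f"{url}: registered as '{kind}' but the app holds a client "
                "credential; a server-side redeemer needs the 'Web' type")
    return findings


def fix_redirect_platform(manifest: dict, url: str) -> dict:
    """Return a deep copy with the given redirect URI re-registered as 'Web'."""
    fixed = json.loads(json.dumps(manifest))
    for entry in fixed.get("replyUrlsWithType", []):
        if entry.get("url") == url:
            entry["type"] = "Web"
    return fixed


if __name__ == "__main__":
    for finding in lint_manifest(MANIFEST_BEFORE):
        print("FINDING:", finding)
    fixed = fix_redirect_platform(
        MANIFEST_BEFORE, "https://localhost:15602/signin-microsoft")
    print("findings after fix:", lint_manifest(fixed))
```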

1 Answer

  1. The client secret actually must be kept secret, i.e. you cannot put it in the website and use it from a public front-end. The client credentials flow design says the same.
  2. Blazor WebAssembly applications are called a 'public application' in OAuth/OpenID terms.

Note: According to the Microsoft docs:

Public clients (native applications and single page apps) must not use secrets or certificates when redeeming an authorization code - always ensure that your redirect URIs correctly indicate the type of application

  • So try to disable the requirement for the client secret on the IdP and refresh tokens since they can't also be handled in a secure/safe way.

  • The recommendation is that you use code+PKCE for public clients, which happens automatically when you set the response_type to code.

Reference: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

  • Thank you for your reply - it set me off in the right direction. I hesitate to mark this as the answer because ultimately the solution lies a bit differently. I was in fact not sending secrets from the client - which is why the error message had me confused. The client contacts the IdentityServer api which server side contains the secrets. However for that to work the reply url must be of the 'Web' type, instead of the 'SPA' type (because like you mentioned, that doesn't work with secrets). I replaced the redirectUri and that works. Again, thanks for your reply! – TomMhC Dec 17 '21 at 18:52